Office of Inspector General

Evaluation of the FMC's FY 2012 Privacy and Data Protection

A13-02

December 2012

FEDERAL MARITIME COMMISSION
800 North Capitol Street, N.W.
Washington, DC 20573

December 6, 2012
Office of Inspector General

TO:      Chairman Richard A. Lidinsky
         Commissioner Joseph E. Brennan
         Commissioner Mario Cordero
         Commissioner Rebecca F. Dye
         Commissioner Michael A. Khouri

FROM:    /Adam R. Trzeciak/
         Inspector General

SUBJECT: OIG Report on Privacy and Data Protection

The Office of Inspector General (OIG) performed a review of privacy and data protection policies and procedures to determine whether the Federal Maritime Commission (FMC) is complying with Section 522 of the Consolidated Appropriations Act, 2005 (42 U.S.C. § 2000ee-2).

Section 522 requires an independent third-party review of agency use of personally identifiable information (PII) and of the agency's privacy and data protection policies and procedures at least every two years. PII is information that can be used to distinguish or trace an individual's identity, such as name, social security number, or biometric records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth or mother's maiden name. This evaluation satisfies the required third-party review.

The agency has improved its privacy program since our last review in 2010. For example, it closed two of four deficiencies and has created policies and procedures to log, verify and reassess data extracts from databases holding sensitive information that are retained for longer than 90 days. The agency also removed the FMC-18 Privacy Impact Assessment (PIA) from its website because FMC-18 is a component of another system, the FMC Database (FMCDB), and did not require a separate PIA.

We also identified areas where controls can be improved. The FMC's Senior Agency Official for Privacy, the Privacy Act Officer, the Chief Information Officer and senior managers are responsible for agency systems and for compliance with Federal laws, regulations, and policies relating to information privacy. Although these individuals interact and communicate, communication and coordination on information privacy, including review of systems and determinations of whether a PIA is required, could be improved. Many subsidiary systems have not been analyzed to determine whether a PIA is required. We also identified concerns with System of Records Notice (SORN) postings and "routine uses" for systems. Three existing PIAs are outdated and the agency has not informed the public about some systems containing PII.

Apart from this mandated review of Privacy Act compliance, the OIG also opened a nonpublic investigation into privacy matters involving the use of computer monitoring software at the FMC between June 2011 and December 2011.

The OIG met with management, which concurs with our findings and recommendations. Management comments are attached to this report.

The OIG wishes to thank the Privacy Act Officer, the Senior Agency Official for Privacy and the Chief Information Officer for their assistance.
I am available at your convenience to discuss the report's findings and recommendations.

cc:  Ronald Murphy, Managing Director
     Karen Gregory, Privacy Act Officer
     Austin Schmitt, Senior Agency Official for Privacy
     Anthony Haywood, Chief Information Officer

Evaluation of the FMC's FY 2012 Privacy and Data Protection

TABLE OF CONTENTS

BACKGROUND
EXECUTIVE SUMMARY
OBJECTIVES AND SCOPE
CURRENT YEAR FINDINGS
MANAGEMENT RESPONSES
   01 SAOP, CIO, OIT Director, and PAO Coordination
   02 System of Records Notices and Routine Use Review
   03 Privacy Impact Assessments
PRIOR YEAR RECOMMENDATIONS
BACKGROUND

Your Internal Controls (contractor), on behalf of the Federal Maritime Commission (FMC), Office of Inspector General (OIG), conducted an independent evaluation of the quality of the FMC privacy program and its compliance with applicable federal computer security laws and regulations.

The Privacy Act of 1974 regulates the use of personal information by the United States Government. Specifically, it establishes rules that determine what information may be collected and how that information can be used, in order to protect the personal privacy of U.S. citizens.

The Privacy Act applies to Federal Government agencies and governs their use of a system of records, which is defined as "any group of records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual."

The following rules govern the use of a system of records:

• No Federal Government record keeping system may be kept secret.
• No agency may disclose personal information to third parties without the consent of the individual (with some exceptions).
• No agency may maintain files on how a citizen exercises their First Amendment rights.
• Federal personal information files are limited to data that is relevant and necessary.
• Personal information may be used only for the purposes for which it was originally collected, unless consent is received from the individual.
• Citizens must receive notice of any third party disclosures, including with whom the information is shared, the type of information disclosed and the reasons for its disclosure.
• Citizens must have access to the files maintained about them by the Federal Government.
• Citizens must have the opportunity to correct or amend any inaccuracies or incompleteness in their files.

EXECUTIVE SUMMARY

The OIG performed a Privacy and Data Protection review in accordance with privacy and data protection related laws and guidance (e.g., the Privacy Act of 1974, OMB memoranda and the Consolidated Appropriations Act, 2005). The Consolidated Appropriations Act, 2005 requires agencies to designate a Chief Privacy Officer (CPO) who is responsible for identifying and safeguarding personally identifiable information (PII), and requires an independent third-party review of agency use of PII and of its privacy and data protection policies and procedures at least every two years.

The agency has improved its privacy program since our last review in 2010. For example, it closed two of four deficiencies and has created policies and procedures to log, verify, and reassess data extracts from databases holding sensitive information that are retained for longer than 90 days. The agency also removed the FMC-18 Privacy Impact Assessment (PIA) from its website because FMC-18 is a component of another system (FMCDB) and did not require a separate PIA. We also identified areas where controls can be improved. These issues are discussed in this report as noted below.

OBJECTIVES AND SCOPE

The objective was to perform a privacy and data protection review.
The contractor performed the following:

• Conducted a review of the FMC's privacy and data security policies, procedures and practices in accordance with applicable regulations.
• Reviewed the agency's technology, practices and procedures with regard to the collection, use, sharing, disclosure, transfer and storage of information in identifiable form.
• Reviewed the agency's stated privacy and data protection procedures with regard to the collection, use, sharing, disclosure, transfer, and security of personal information in identifiable form relating to agency employees and the public.
• Performed a detailed analysis of the agency's intranet, network, and website for privacy vulnerabilities (through vulnerability scans and review of source documents):
   - Assessed compliance with stated practices, procedures, and policy.
   - Assessed the risk of inadvertent release of information in identifiable form from the agency's website.
• Issued recommendations for improvements or enhancements to the management of information in identifiable form and to the privacy and data protection procedures of the agency.
• Assessed the agency's progress toward implementing corrective actions from prior audit reports.

CURRENT YEAR FINDINGS

The agency has taken steps to enhance Privacy Act compliance efforts. All employees are required to undergo annual privacy training, which includes safeguarding PII. The agency also developed and implemented a number of formal policies and guidelines. For example, in June 2012 the agency issued a memorandum informing employees of their responsibilities for safeguarding PII.
Additionally, in March 2011 the agency developed and implemented policies regarding the security of data on Personal Digital Assistants (PDAs) and a Management Directive requiring cybersecurity awareness briefings for all new employees and annual security awareness training for current employees. The Management Directive also addresses specialized training for select IT personnel to ensure they are properly promoting security awareness throughout the agency. The training focuses on security, which includes privacy of the data residing on the FMC's network. The agency also has well-established policies documenting the various Privacy Act requirements, as well as procedures for complying with the various privacy regulations and for developing a PIA.

While we identified program strengths, we also noted areas where improvement is possible. The FMC's Senior Agency Official for Privacy (SAOP), Chief Information Officer (CIO), Privacy Act Officer (PAO) and senior managers are responsible for the agency's systems and for compliance with Federal laws, regulations, and policies relating to information privacy. Although these individuals interact and communicate, communication and coordination on information privacy, including review of systems and determinations of whether a PIA is required, could be improved. Many subsidiary systems, including FMC-2, FMC-7, and FMC-24, have not been analyzed to determine whether a PIA is required. We also identified concerns with System of Records Notice (SORN) postings and "routine uses" for systems. Three existing PIAs are outdated and the agency has not informed the public about some systems containing PII.

MANAGEMENT RESPONSES

We have included management's response to the OIG recommendation(s) at the end of the report.
The OIG has closed two of four prior-year recommendations based on management's response and OIG follow-up. The OIG was unable to assess corrective actions on the remaining two recommendations without detailed follow-up and/or additional fieldwork. The OIG will perform all necessary verification in the FY 2013 FISMA cycle.

01 SAOP, CIO, OIT Director, and PAO Coordination

Condition:

There are 25 systems at the FMC, residing within different offices of the agency. Responsibility for them rests with the Privacy Act Officer, the Senior Agency Official for Privacy (SAOP), and the respective managers of systems of records. The Privacy Act Officer works toward the implementation and enforcement of the Privacy Act by, for example, publishing systems of records in the Federal Register, reviewing privacy policies and coordinating with the SAOP. The SAOP, in consultation with managers and the Privacy Act Officer, ensures that steps are taken to protect personal data from unauthorized use, and also conducts periodic reviews of privacy documentation. The managers of systems of records inform the Privacy Act Officer of the existence of systems, monitor routine use, and assist in safeguarding privacy data. The agency's systems are listed below:

Privacy Systems

1. GSS Network (electronic system)
   a. FMC-2 (Non-Attorney Practitioner File – paper and electronic system)
   b. FMC-24 (Informal Inquiries and Complaints Files – paper and electronic system)
   c. FMC-32 (Regulated Persons Index – electronic system)
2. SERVCON (electronic system)
3. FMCDB (electronic system)
   a. FMC-1 (paper system)
   b. FMC-18 (paper system)
4. Systems residing on personal computers or storage media
   a. FMC-7 (Licensed Ocean Transportation Intermediaries Files – paper and electronic system)
   b. FMC-22 (Records Tracking System – paper and electronic system)
   c. FMC-25 (Inspector General File – electronic system)
   d. FMC-31 (Debt Collection Files – paper and electronic system)
5. Office of Personnel Management (OPM) systems
   a. FMC-8 (Official Personnel Folder – electronic system)
   b. FMC-9 (Training Program Records – electronic system)
   c. FMC-14 (Medical Examination File – electronic system)
   d. FMC-16 (Classification Appeals File – electronic system)
   e. FMC-19 (Financial Disclosure Reports and Other Ethics Program Records – electronic system)
   f. FMC-28 (Equal Employment Opportunity Complaints Files – electronic system)
   g. FMC-29 (Employee Performance File System Records – electronic system)
6. Paper based systems
   a. FMC-10 (Desk Audit File – paper based system)
   b. FMC-26 (Administrative Grievance File – paper based system)
   c. FMC-33 (Payroll/Personnel System – paper and electronic system)
   d. FMC-34 (Travel Charge Card Program – electronic system)
   e. FMC-35 (Transit Benefits File – electronic system)
   f. FMC-36 (SmartPay Purchase Charge Card Program – electronic system)

Specifically, the following was noted:

1. The SAOP, PAO, CIO, and OIT Director need better coordination of privacy-related requirements to ensure compliance with privacy regulations.

2. All systems housing PII should be assessed to determine whether a PIA is warranted. A PIA helps to ensure that the controls deployed on a system are commensurate with the PII residing on it. There are 22 systems for which management has not determined whether a PIA is required and, if so, whether the PIA should be posted on the agency's website. This deficiency concerns the lack of a PIA determination, not the controls over the PII residing on those systems. Some of the systems are managed by third parties and do not require a PIA; others are protected physically and hold no data in electronic form. Management must therefore determine whether a PIA is needed for each system and then take steps to ensure that the controls deployed across the various systems are strong enough to protect the PII against exploitation.

Criteria:

1. The National Institute of Standards and Technology (NIST) describes how an agency can identify Personally Identifiable Information (PII), enabling the agency to maintain an inventory of its systems and of the PII residing on each of them.
The NIST guidance also explains how to determine whether a PIA is required. See NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), section 2.1:

"Organizations should use a variety of methods to identify all PII residing within their organization or under the control of their organization through a third party (e.g., a system being developed and tested by a contractor). Privacy threshold analyses (PTAs), also referred to as initial privacy assessments (IPAs), are often used to identify PII. Some organizations require a PTA to be completed before the development or acquisition of a new information system and when a substantial change is made to an existing information system. PTAs are used to determine if a system contains PII, whether a Privacy Impact Assessment is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the information system. PTAs should be submitted to an organization's privacy office for review and approval. PTAs are often comprised of simple questionnaires that are completed by the system owner. PTAs are useful in initiating the communication and collaboration for each system between the privacy officer, the information security officer, and the information officer. Other examples of methods to identify PII include reviewing system documentation, conducting interviews, conducting data calls, or checking with system owners."

2. NIST also describes the various elements that make up PII.
The elements below shall be considered when assessing the PII in systems maintained by the FMC, as noted in NIST SP 800-122, section 2.1:

"This publication uses the definition of PII from OMB Memorandum 07-16, which is information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. To distinguish an individual is to identify an individual."

• Name, such as full name, maiden name, mother's maiden name, or alias;
• Personal identification number, such as SSN, passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number;
• Address information, such as street address or email address;
• Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people;
• Telephone numbers, including mobile, business, and personal numbers;
• Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scans, voice signature, facial geometry);
• Information identifying personally owned property, such as vehicle registration or identification number, and title numbers and related information; and
• Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).

3. OMB has specific requirements regarding when and how a PIA should be conducted. OMB Memorandum 03-22, section II.B.2, states when a PIA shall be performed:

The E-Government Act of 2002 requires agencies to conduct a PIA. In general, PIAs are required to be performed and updated as necessary where a system change creates new privacy risks. For example:

• Conversions - when converting paper-based records to electronic systems;
• Anonymous to Non-Anonymous - when functions applied to an existing information collection change anonymous information into information in identifiable form;
• Significant System Management Changes - when new uses of an existing IT system, including application of new technologies, significantly change how information in identifiable form is managed in the system;
• Significant Merging - when agencies adopt or alter business processes so that government databases holding information in identifiable form are merged, centralized, matched with other databases or otherwise significantly manipulated;
• New Public Access - when user-authenticating technology (e.g., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public;
• Commercial Sources - when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources.
(Merely querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement);
• New Interagency Uses - when agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form, such as the cross-cutting E-Government initiatives; in such cases, the lead agency should prepare the PIA;
• Internal Flow or Collection - when alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of information in identifiable form;
• Alteration in Character of Data - when new information in identifiable form added to a collection raises the risks to personal privacy (for example, the addition of health or financial information).

Cause:

There is a lack of communication and coordination between the SAOP, PAO, CIO, and OIT Director, which may account for the absence of PIAs for some of the agency's systems.

Risk:

Without periodic communication and coordination between the OIT, CIO, and PAO, PII may be left vulnerable to exposure.

Recommendation(s):

1. The system owners/managers, CIO, OIT Director, SAOP, and PAO should hold annual meetings to discuss the requirements for all FMC systems and determine the security requirements for protecting the PII residing within those systems. Those meetings should cover the following:

• A complete inventory of systems and the type of data residing on each.
• The safeguarding of data on those systems.
• The management of the systems; for example, whether a system is managed by a third party or in-house by the FMC.
• Electronic versus paper-based systems.
• The types of controls deployed and whether they are commensurate with the data residing on the systems.
• PIAs for each system.
• SORNs and routine uses for each system.

2. The system owners/managers and, as appropriate, the system analyst or developer should prepare privacy threshold analyses (PTAs) or initial privacy assessments (IPAs) to identify PII in existing or proposed agency systems. Based on the completed PTAs/IPAs, the SAOP and CIO should work with the PAO to determine whether PIAs are needed for those systems that have not had a PIA completed. Furthermore, the Privacy/Freedom of Information Act (FOIA) Officer should ensure that completed PIAs transmitted to him or her by the SAOP and CIO are posted to the Commission's Internet website as appropriate.

02 System of Records Notices and Routine Use Review

The Privacy Act of 1974 places restrictions on the ability of Federal agencies to share a system of records with third parties, including other agencies. However, the Privacy Act does recognize the need of the government to share records in order to improve security, maintain accuracy and consolidate resources. This is often accomplished through matching programs, which allow certain data elements in one system of records to be searched against records in another system in order to find matches. Such matches link together the information from both systems.

The Privacy Act contains a "routine use" exception which allows the disclosure of information without the consent of the individual, provided the routine use has been published in the system's SORN.
Routine use is defined as "the use of such record for a purpose which is compatible with the purpose for which it was collected."

"A System of Records is a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol or other identifying particular assigned to the individual."

A System of Records Notice (SORN) informs the public of the existence of a system of records and describes the type of information that an agency will be collecting, who will be collecting the information, how it will be safeguarded, the purpose for collecting the information, and so on. It is advance notice to the public that must be published in the Federal Register before an agency begins to collect, is given access to, or can retrieve personal information for a new system of records. A SORN that lists the routine uses of the information satisfies the Privacy Act's notice requirement for routine-use disclosures.

The following system of records notices have been published in the Federal Register:

1. FMC-1 (Personnel Security File – paper based system)
2. FMC-2 (Non-Attorney Practitioner File – paper and electronic system)
3. FMC-7 (Licensed Ocean Transportation Intermediaries Files – paper and electronic system)
4. FMC-8 (Official Personnel Folder – electronic system)
5. FMC-9 (Training Program Records – electronic system)
6. FMC-10 (Desk Audit File – paper based system)
7. FMC-14 (Medical Examination File – electronic system)
8. FMC-16 (Classification Appeals File – electronic system)
9. FMC-18 (Travel Orders / Vouchers File – paper based system)
10. FMC-19 (Financial Disclosure Reports and Other Ethics Program Records – electronic system)
11. FMC-22 (Records Tracking System – paper and electronic system)
12. FMC-24 (Informal Inquiries and Complaints Files – paper and electronic system)
13. FMC-25 (Inspector General File – electronic system)
14. FMC-26 (Administrative Grievance File – paper based system)
15. FMC-28 (Equal Employment Opportunity Complaints Files – electronic system)
16. FMC-29 (Employee Performance File System Records – electronic system)
17. FMC-31 (Debt Collection Files – paper and electronic system)
18. FMC-32 (Regulated Persons Index – electronic system)
19. FMC-33 (Payroll/Personnel System – paper and electronic system)
20. FMC-34 (Travel Charge Card Program – electronic system)
21. FMC-35 (Transit Benefits File – electronic system)
22. FMC-36 (SmartPay Purchase Charge Card Program – electronic system)

Agencies are also required to periodically review their systems and ensure that the SORN listing maintained on the agency website is current. Agencies are also required to identify those systems without a SORN and assess whether there are PII records within those systems that should have been communicated to the public via a SORN.

Condition:

3. "Routine uses" are not described for the following IT systems:

• GSS Network
• SERVCON
• FMCDB

4. Three systems have no published SORN, even though a SORN must be published for each system of records so that the public is informed of the data collected:

• GSS Network
• SERVCON
• FMCDB

Criteria:

1. OMB provides guidance on publishing systems of records to ensure the public's trust, as stated in OMB M-99-05, Instructions on Complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records," section 4:

"In passing the Privacy Act, the Congress made a strong policy statement that in order to ensure fairness, there shall be no record keeping systems, the very existence of which is secret. Therefore, each agency shall review its operations to identify any de facto systems of records for which no system of records notice has been published. If the agency identifies any such unpublished systems of records, then the agency should publish a system of records notice for the system promptly. Agencies shall implement appropriate measures (e.g., training) to ensure that systems of records are not inadvertently established, but instead are established in accordance with the notice and other requirements of the Privacy Act."

2. OMB also provides guidance on the periodic review of systems to ensure that published notices are complete and accurate, as stated in OMB M-99-05, Attachment B:

"The Privacy Act of 1974 (5 U.S.C. § 552a, the Act) requires agencies to inform the public of the existence of systems of records containing personal information, to give individuals access to records about themselves in a system of records, and to manage those records in a way to ensure fairness to individuals in agency programs.

For the Privacy Act to work effectively, it is imperative that each agency properly maintain its systems of records and ensure that the public is adequately informed about the systems of records the agency maintains and the uses that are being made of the records in those systems. Therefore, agencies must periodically review their systems of records and the published notices that describe them to ensure that they are accurate and complete. OMB Circular A-130, "Management of Federal Information Resources," (61 Fed. Reg. 6428, Feb. 20, 1996) requires agencies to conduct periodic reviews, in accordance with the schedule in Appendix I of the Circular."

3. Each agency shall conduct a thorough review of its systems of records, system of records notices, and routine uses, as described in OMB M-99-05, section 2:

"Non-statutory disclosures created by administrative mechanisms should only be made when appropriate. Therefore, each agency shall review its "routine uses" to identify any routine uses that are no longer justified, or which are no longer compatible with the purpose for which the information was collected. The Privacy Act requires agencies to include in their systems of records notices a description of the routine uses for which information in a system of records may be disclosed. 5 U.S.C. § 552a(e)(4)(D)."

Cause:

OIT was not fully aware of its requirements and responsibilities with regard to SORNs and routine use review.

Risk:

The public is currently misinformed about the FMC's systems because the system listing on the FMC website is incomplete. The FMC is responsible for ensuring that its systems have published SORNs so that the public is adequately informed of the systems in the agency's inventory and the PII contained within them. Unless the agency identifies any unpublished systems, the listing of systems it presents to the public will remain incomplete. Also, documenting the "routine uses" enables OIT to adequately protect the PII residing on the systems; without a full understanding of the routine uses, the data may not be adequately protected.

Recommendation(s):

3. OIT should review all routine uses for the GSS Network, SERVCON, and the FMCDB. If any of those routine uses are no longer appropriate, OIT should work with the PAO to delete those routine uses from the SORN and update the agency's website accordingly.

4. As the system manager/owner, OIT and, as appropriate, the system analyst or developer should prepare privacy threshold analyses (PTAs) and/or PIAs for the GSS Network, SERVCON, and FMCDB to determine whether any of these systems contain records of individuals covered by the Privacy Act (i.e., contain PII).
For each of these systems\n      where PII is identified and after SAOP/CIO review, the OIT should prepare for\n      publication, appropriate SORNs.\n\n\n\n                          03 Privacy Impact Assessments\nA Privacy Impact Assessment (PIA) is an analysis of how information is handled: (i) to ensure\nhandling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii)\nto determine the risks and effects of collecting, maintaining and disseminating information in\nidentifiable form in an electronic information system, and (iii) to examine and evaluate\nprotections and alternative processes for handling information to mitigate potential privacy risks.\n\nCondition:\n\n   5. PIAs are required to be updated every 3 years (or earlier if the system had a significant\n      change). PIAs are also required for new systems. A PIA has not been performed on one\n      system and the PIA is outdated for two additional systems. See below for details:\n\n   \xe2\x80\xa2   GSS Network \xe2\x80\x93 PIA last completed in 2008.\n   \xe2\x80\xa2   SERVCON \xe2\x80\x93 PIA last completed in 2008.\n   \xe2\x80\xa2   FMCDB \xe2\x80\x93 no PIA completed.\n\nCriteria:\n\n   1. The OMB has specific requirements regarding when and how a PIA should be conducted.\n      This criteria states the instances when a PIA shall be performed as noted by OMB\n      Memorandum 03-22 section II.B.2:\n\nThe E-Government Act of 2002 requires agencies to conduct a PIA. In general, PIAs are\nrequired to be performed and updated as necessary where a system change creates new privacy\nrisks. 
For example:\n\n   \xe2\x80\xa2   Conversions - when converting paper-based records to electronic systems;\n\n\n\n                                                11\n\x0c   \xe2\x80\xa2     Anonymous to Non-Anonymous - when functions applied to an existing information\n         collection change anonymous information into information in identifiable form;\n   \xe2\x80\xa2     Significant System Management Changes - when new uses of an existing IT system,\n         including application of new technologies, significantly change how information in\n         identifiable form is managed in the system;\n   \xe2\x80\xa2     Significant Merging - when agencies adopt or alter business processes so that government\n         databases holding information in identifiable form are merged, centralized, matched with\n         other databases or otherwise significantly manipulated;\n   \xe2\x80\xa2     New Public Access - when user-authenticating technology (e.g., password, digital\n         certificate, biometric) is newly applied to an electronic information system accessed by\n         members of the public;\n   \xe2\x80\xa2     Commercial Sources - when agencies systematically incorporate into existing\n         information systems databases of information in identifiable form purchased or obtained\n         from commercial or public sources. 
(Merely querying such a source on an ad hoc basis\n         using existing technology does not trigger the PIA requirement);\n   \xe2\x80\xa2     New Interagency Uses - when agencies work together on shared functions involving\n         significant new uses or exchanges of information in identifiable form, such as the cross-\n         cutting E-Government initiatives; in such cases, the lead agency should prepare the PIA;\n   \xe2\x80\xa2     Internal Flow or Collection - when alteration of a business process results in significant\n         new uses or disclosures of information or incorporation into the system of additional\n         items of information in identifiable form;\n   \xe2\x80\xa2     Alteration in Character of Data - when new information in identifiable form added to a\n         collection raises the risks to personal privacy (for example, the addition of health or\n         financial information).\n\nCause:\n\nThe OIT has not made updating the two PIAs (GSS Network and SERVCON) and completing a\nnew PIA (FMCDB) a priority because of competing demands on resources for.\n\nRisk:\n\nWith outdated PIAs for some of the OIT systems, FMC may not be deploying security controls\nthat are commensurate with the PII that resides on those systems.\n\nRecommendation(s):\n\n   5. The OIT should update the PIA for the GSS Network and SERVCON systems, and\n      complete a new PIA for the FMCDB. 
The PIAs should be approved and reviewed by the\n      SAOP.\n\n\n\n\n                                                12\n\x0c                                  Prior Year Recommendations\n#                        POA&M                                  Report        Open / Closed\n    Develop and implement policies and procedures to\n    require privacy impact assessments (PIA) to be\n    completed for each applicable information system.\n1                                                            Report A11-01A      Open\n    This was rolled into recommendation #7 on\n    Report A12-02.\n\n\n    Remove the FMC-18 (Form-18) PIA from the\n    publicly accessible web that incorrectly states, \xe2\x80\x9cA\n    risk assessment has been conducted and the\n    appropriate controls have been implemented\xe2\x80\x9d as no\n    authorization (formerly Certification & Accreditation\n2                                                            Report A11-01A      Closed\n    (C&A)) package was created for this system.\n\n    This was closed prior to the FISMA 2011 testing.\n\n\n    Create a planning document for multifactor\n    authentication that correlates with the IT capital\n    planning and investment control process. 
Utilize\n    multifactor authentication for remote authentication\n    for FMC systems to authenticate users\xe2\x80\x99 identifies for\n    Level 3 and 4 users in accordance with National\n3   Institute of Standards and Technology (NIST) 800-        Report A11-01A      Open\n    63.\n\n    This was rolled into recommendation #6 - Report\n    A12-02.\n\n\n    Create policies and/or procedures to log, verify and\n    reassess data extracts from database holding sensitive\n    information after 90 days.\n4                                                            Report A11-01A      Closed\n    Policies are now in place that addresses this\n    POA&M.\n\n\n\n\n                                                    13\n\x0cForm FMC-2      UNITED STATES GOVERNMENT                             FEDERAL MARITIME COMMISSION\n (Rev. 07-89)\n\n                Memorandum\n\n\nTO                  :   Inspector General                      DATE: November 29, 2012\n\n\n\n\nFROM            :       Senior Agency Official for Privacy (SAOP)\n                        Privacy Act Officer (PAO)\n\n\n\n\nSUBJECT : Joint Response on Evaluation of the FMC\xe2\x80\x99s FY 2012 Privacy and Data Protection\n\n\n                 We have reviewed the recommendations in the subject Privacy and Data Protection\n          Evaluation, and provide our responses below. Our responses assume adequate FY 2013 agency\n          funding and resources.\n\n\n          Finding #1: SAOP, CIO, OIT Director, and PAO Coordination\n\n          Recommendation #1: The system owners/managers, CIO, OIT Director, SAOP, and PAO should\n          hold annual meetings to discuss the various requirements for all FMC systems to determine the\n          security requirements of protecting the PII residing within those systems. Those meetings should\n          discuss the following:\n\n                    a. Complete inventory of systems and the type of data residing on those systems.\n                    b. 
The safeguarding of data on those systems.\n                    c. The management of the systems. For example, are the systems managed by a third party\n                       or managed in-house by the FMC?\n                    d. Electronic versus paper-based systems.\n                    e. The types of controls deployed and whether or not this is commensurate with the data\n                       residing on the systems.\n                    f. PIAs for each system.\n                    g. SORNs and routing uses for each system.\n\n\n                    Response: We concur in the recommendation. During FY 2013 the PAO (coordinating with\n                    the SAOP, CIO, and the OIT Director) will kick off a project to conduct an agency-wide System\n                    of Record (SOR) review on existing FMC systems and any proposed systems for compliance\n\x0c   with the Privacy Act. System owners/managers will be engaged in developing and providing\n   input for systems under their control/responsibility. Appropriate Federal Register Notices will\n   be drafted and published. Thereafter, the system owners/managers, CIO, SAOP, OIT Director,\n   and PAO will meet annually to discuss any changes to existing systems and anticipated new\n   systems, and security requirements for protecting PII residing in agency systems.\n\n\nRecommendation #2: The system owners/managers, and as appropriate, system analyst or\ndeveloper, should prepare privacy threshold analyses (PTAs) or initial privacy assessments (IPAs)\nto identify PII in existing or proposed agency systems. Base on completed PTAs/IPAs, the SAOP\nand CIO should work with the PAO to determine if PIAs are needed for those systems that have\nnot had a PIA completed. Furthermore, the Privacy/FOIA Act Officer should ensure that completed\nPIAs transmitted to him/her from the SAOP and CIO, are posted to the Commission\xe2\x80\x99s Internet\nwebsite as appropriate.\n\n   Response: We concur in the recommendation. 
In connection with the agency-wide SORN\n   review coordinated by the PAO noted in response to Recommendation #1, the SAOP/CIO will\n   oversee completion of PTAs for agency systems and proposed systems. Based on completed\n   PTAs, the SAOP and CIO will meet with the PAO to determine if PIAs are needed for agency\n   systems. The Privacy/FOIA Act Officer will ensure that completed PIAs transmitted to him/her\n   from the SAOP/CIO, are posted to the Commission\xe2\x80\x99s Internet website as appropriate.\n\n\nFinding #2: System of Records Notices and Routine Use Review\n\nRecommendation #3: The OIT should review all routine uses for the GSS Network, SERVCON,\nand the FMCDB. If any of those routine uses are no longer appropriate, the OIT should work with\nthe PAO to delete those routine uses from the SORN and update accordingly on the agency\xe2\x80\x99s\nwebsite.\n\n   Response: We concur in the recommendation. During FY 2013 an agency-wide project to\n   review agency System of Records, including the GSS Network, SERVCON, and FMCDB will\n   be conducted, with any necessary updates or publication of systems completed. (See\n   Response to Recommendation Number #1 above).\n\n\nRecommendation #4: As the system manager/owner, the OIT, and as appropriate, system\nanalyst or developer, should prepare privacy threshold analyses (PTAs) and/or PIAs for the GSS\nNetwork, SERVCON, and FMCDB to determine if any of these systems contain records of\nindividuals covered by the Privacy Act (i.e., contain PII). 
For each of these systems where PII is\nidentified and after SAOP/CIO review, the OIT should prepare for publication, appropriate SORNs.\n\n   Response: We concur in the recommendation and note that this recommendation will be\n   handled as part of our response to Recommendation Numbers 1 and 2 above.\n\n                                            2\n\x0cFinding #3: Privacy Impact Assessments\n\nRecommendation #5: The OIT should update the PIA for the GSS Network and SERVCON\nsystems, and complete a new PIA for the FMCDB. The PIAs should be approved and reviewed by\nthe SAOP/CIO.\n\n      Response: We concur in the recommendation and note that this recommendation will be\n      handled as part of our response to Recommendation Number 2 above.\n\n\n\n\n________________________                         _____________________\n/Austin L. Schmitt/                              /Karen V. Gregory/\nSenior Agency Official for Privacy               Privacy Act Officer\n\n\n\ncc:      Chief Information Officer\n         Director, Office of Information Technology\n\n\n\n\n                                             3\n\x0c'